Embed Size (px)
Citation preview
The Information-Centric Security
LifecycleRich Mogull
Securosis, L.L.C.
ecurosis.com
Mainframe Internet I Internet II
Jail Fortress ZoneNETWORK
ecurosis.com
But what about the information?
ecurosis.com
Network
Host
Application
Data
Use
r
Data
Host
Application
Network
ecurosis.com
InformationInformation
Host
Application
Network
Use
r
ecurosis.com
The Information-Centric Security
Lifecycle
ecurosis.com
Create
Destroy
Store
Share Archive
Use
ClassifyAssign Rights
Access ControlsEncryptionRights ManagementContent Discovery
Activity Monitoring and EnforcementRights ManagementLogical ControlsApplication Security
CMP (DLP)EncryptionLogical ControlsApplication Security
EncryptionAsset Management
Crypto-ShreddingSecure DeletionContent Discovery
ecurosis.com
ILM and Security
Create
Destroy
Store
Share Archive
Use
Creation and Receipt
Distribution
UseMaintenance
DispositionUse
ecurosis.com
• Content is classified as it’s created through content analysis or based on labeling of data elements.
• Rights are assigned, based on central policies.
• Mandatory and discretionary policies.
Create
ecurosis.com
Control Structured UnstructuredClassify None* None*
Assign Rights Label Security Enterprise DRM
Create
Create Technologies
Note- Classification is expected to emerge from DLP/CMP
ecurosis.com
Label Security
ID Last First SSN
1111 Mogull Richard 555-12-5555
1112 Smith John 324-86-3456
ID Last First Region Label
1111 Mogull Richard US Public
1112 Smith John EMEA Sensitive
Column
Row
ecurosis.com
Partial Document Matching
Exact File Matching
StatisticalDatabase Fingerprinting
CategoriesConceptual
^(?:(?<Visa>4\d{3})|(?<Mastercard>5[1-5]\d{2})|(?<Discover>6011)|(?<DinersClub>(?:3[68]\d{2})|(?:30[0-5]\d))|(?
<AmericanExpress>3[47]\d{2}))([ -]?)(?(DinersClub)(?:\d{6}\1\d{4})|(?(AmericanExpress)(?:\d{6}\1\d{5})|(?:\d{4}\1\d{4}\1\d{4})))$
Rules
Content Analysis
ecurosis.com
• We use access controls, encryption, and rights management to protect data in storage.
• Content Discovery helps find unprotected sensitive data that slipped through the gaps.
Store
ecurosis.com
Store TechnologiesControl Structured Unstructured
Access ControlsDBMS Access Controls
Administrator Separation of Duties
File System Access ControlsDocument Management System Access Controls
EncryptionField Level Encryption
Application Level EncryptionFile/Media Encryption*
Media EncryptionFile Encryption
Distributed Encryption
Rights Management Label/Row Level Security Enterprise DRM
Content DiscoveryDatabase-Specific Discovery
Tools
DLP/CMF Content DiscoveryStorage/Data Classification
Tools
Store
ecurosis.com
AccessControls
Encryption DRM
ecurosis.com
Application/Database
File/Folder Media
Encryption Options
rmogull Phoenix asdfasdfasdfasdf
ecurosis.com
Content Discovery
Remote ScanningRemote Scanning
ecurosis.com
• Monitor and protect information during use.
• Includes business applications and productivity applications.
• Heavy use of content-aware technologies.
Use
ecurosis.com
Use Technologies
Control Structured Unstructured
Activity Monitoring and Enforcement
Database Activity MonitoringApplication Activity
Monitoring
Endpoint Activity MonitoringFile Activity Monitoring
Portable Device ControlEndpoint DLP
Rights Management Label Security Enterprise DRM
Logical ControlsObject (Row) Level Security
Structural ControlsApplication Logic
Application Security Implemented At Application LayerImplemented At Application Layer
Use
ecurosis.com
Two Sides Of Information-Centric Security
Data Center Productivity
ecurosis.com
CMP
CMP
Advanced Content Analysis
Real-Time DRM
CMP to ADMP Bridges
Managed and Unmanaged Systems
ecurosis.com
ADMP
Adaptive AuthenticationApplication NACActivity MonitoringAnti-ExploitationTransaction AuthenticationSession SecurityApplication Virtualization
ecurosis.com
Cross-Domain Information Protection
ID Last First SSN
1111 Mogull Richard 555-12-5555
1112 Smith John 324-86-3456
ID Last First SSN
1111 Mogull Richard 555-12-5555
1112 Smith John 324-86-3456
050
100150200
2007 2008 2009 2010
Customer Report
Customer retention grew 13% YoY. Customer 138-56-8375 held return value while...
11 Last First SSN
asdf asd asd ads
ads ads asd asd
Customer Report
Customer retention grew 13% YoY. Customer 138-56-8375 held return value while...
11 Last First SSN
asdf asd asd ads
ads ads asd asd
ecurosis.com
• Securely exchange information, inside and outside of the enterprise.
• A mixture of content-aware technologies and encryption for secure exchange.
Share
ecurosis.com
Share Technologies
Control Structured Unstructured
CMP/DLP Database Activity Monitoring(With DLP Feature)
Network/Endpoint CMP/DLP
Encryption*Only When Data Elements Not Otherwise
Encrypted
Network EncryptionApplication Level Encryption
Email EncryptionFile Encryption
Network Encryption
Logical ControlsObject (Row) Level Security
Structural Controls
Application Security Implemented At Application LayerImplemented At Application Layer
Share
ecurosis.com
Inter-Organization Encryption vs. DRM
ecurosis.com
• Protect information in archival storage.
• Encryption and asset management
Archive
ecurosis.com
Archive Technologies
Control Structured Unstructured
Encryption Field-Level EncryptionTape Encryption
Storage Encryption(Multiple Options)
Asset Management Asset Management Asset Management
Archive
ecurosis.com
Tape Encryption Options
In-line Drive Software
ecurosis.com
• Ensure data is not recoverable at end of life
• Content discovery to ensure dangerous data isn’t hiding where it shouldn’t be.
Destroy
ecurosis.com
Destroy Technologies
Control Structured UnstructuredCrypto-Shredding Enterprise Key Management Enterprise Key Management
Secure Deletion Disk/Free Space Wiping Disk/Free Space Wiping
Physical Destruction Physical Destruction Physical Destruction
Content DiscoveryDatabase-Specific Discovery
Tools
DLP/CMF Content DiscoveryStorage/Data Classification
ToolsEnterprise Search
E-Discovery
Destroy
ecurosis.com
Create
Destroy
Store
Share Archive
Use
ClassifyAssign Rights
Access ControlsEncryptionRights ManagementContent Discovery
Activity Monitoring and EnforcementRights ManagementLogical ControlsApplication Security
CMP (DLP)EncryptionLogical ControlsApplication Security
EncryptionAsset Management
Crypto-ShreddingSecure DeletionContent Discovery
